Ioana Patringenaru/University of California San Diego

A major eight-month study involving nearly 20,000 healthcare workers has revealed that standard corporate cybersecurity training programmes provide little protection against phishing attacks, challenging widespread industry practices.

Researchers from UC San Diego examined 19,500 employees at UC San Diego Health through a randomised controlled trial using ten different phishing campaigns. The investigation found no meaningful correlation between recent completion of mandatory annual cybersecurity training and employees’ susceptibility to phishing emails.

The study also assessed embedded training systems, where workers receive anti-phishing guidance after engaging with test phishing emails sent by their organisations. This approach reduced click-through rates by just 2%, despite requiring significant time and resources to implement.

“Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks,” the researchers concluded.

The findings prove particularly concerning given phishing’s role as the leading cause of cybersecurity breaches, accounting for 16% of successful attacks according to IBM’s 2023 analysis. Healthcare organisations face heightened risks, with the US Department of Health and Human Services recording over 725 major data breach incidents affecting 133 million health records in 2023 alone.

During the eight-month trial period, researchers observed deteriorating employee performance over time. Initial click rates of 10% in month one climbed to over 50% by month eight, suggesting training effects diminish rapidly.

The study highlighted dramatic variations in phishing email effectiveness. While only 1.82% of recipients clicked malicious links requesting Outlook password updates, 30.8% engaged with emails claiming to announce changes to vacation policies.

Grant Ho, study co-author and University of Chicago faculty member, noted that 75% of users spent one minute or less engaging with embedded training materials, with one-third closing training pages immediately without reviewing content.

“This does lend some suggestion that these trainings, in their current form, are not effective,” said Ariana Mirian, paper co-author who completed the work as a UC San Diego PhD student.

The researchers advocate redirecting cybersecurity investments towards technical solutions rather than human-focused training programmes. They specifically recommend implementing two-factor authentication across hardware and applications, alongside password managers configured to function only on legitimate domains.

The research team presented their findings at the Black Hat conference in Las Vegas in August and previously shared results at the IEEE Symposium on Security and Privacy in San Francisco in May.
